From: 

Sent: 

To: 







PM 


1 


k he 

hlC 


Cc: I 

Subject: Reminder - Urgent FOIA Request - Deadline - Friday. August 3. 2007 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Just a reminder from ucf 
Thank you, 


Please be sure to review your files for anything concerning CIPAV technology. 


] 


— Original Mpgam*— 

From: | 

Sent: Thursday. July ?6. MQ7 PM 

To: 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 06-16-2006 BY 60322uclp/stp/rds 


b6 

b7C 


b6 

b7C 



Cc; . 

Subject: urgent roiA Kequ^ • EDeadiine - Ptiday, August 3, Z007 

Importance: High 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Good Afternoon, 



be 

b7C 


P®'' UC | I please provide hard copies of ALL documentation, to include e-mails, conceming"CIPAV 

Technology. All information is to be turned In by COB Friday. August 3rd. 2007 . Additionally, it is requested that you 
lease out all documen ts in chronological order. If I am not in the office that day, please take your documents to 


t 


Thanks, - 
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Management Assistant 
Operational Technology Division (OTD) 
Cryptologic and Electronic Analysis Unit (CEAU) 
KChantllly) 
iQuantico) 

kCell) 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 



Monday. July 30. 5007 3:53 PM 


b6 

b7C 


Prom: 

Sent: 

To: 

Cc: 

Subject: 


Kt; urgent huiA Kequesi - ueaaiine - i-naay, August d, Mr 


SENSITIVE BUT UNCLASSIFIED 
NON»RECORD 


How much, If anything, does CIPAV have to do with the IPAV that was developed In our group back In 
2001 ? 


P. 


> SENSITIVE BUT UNCLASSIFIED 

> NON-RECORD 

> 


> Good Afternoon, 

> 

> Per UC l 

> documentation, to Include e-mails, concerning CIPAV 


please provide hard copies of ALL 


> Technology. All Information is to be turned in bv COB 

> Friday. August 3rd. 2007 . Additionally, it is requested that 

> you please put all documents in chronological order, if I am 

> not in the office that day, please take your documents to 


> Thanks, 


> Management Assistant 

> Operational Technology Division (OTD) 

> Cryptologic and Electronic Analysis Unit (CEAU) 
[(Chantilly) 

(Quantico) 

(Cell) 




> SENSITIVE BUT UNCLASSIFIED 


ALL INFOPMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 06-16-2008 BY 60322uclp/st.p/E!is 



be 

b7C 


be 

b7C 

b2 


SENSITIVE BUT UNCLASSIFIED 
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b6 

b7C 


From: 

Sent: 

To: 

Cc: 

Subject: 

importance: 


FW: Urgent FOIA Request < Deadline - Friday, August 3, 2007 
High 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


J 


I want to clear up any misconceptions you have about I Jand my role here. We are here to provide you with legal 

advice concerning Science and Technology matters. Also. I [ is my backup for CEAU and my other units, just as I am 

hi s backup fey his units in his absence, it Is improper for you to send general "taskers" to either one of us, and particularly 
to I [if I am here. 


Assistant General Counsel 
Scienc e and Technology Law Unit 
Phone i I 

Cell ohone l I 

Sec ure oho nel I 

I 


ALL IKFOPHATION COHTAIMED 

HEREIN IS UNCLASSIFIED h2 

DATE 06-16-2008 BY •60322uclp/stp/Eds b6 

b7C 


•—Original Mess age — 

From: I 

Sent: Friday. Jutv 27. ?0Q7 4:45 PM~ 

To: 

Subject: 

Importance: 


:fW; Urgent pUia Kequest - ueaaiine - r-nday, August 3, 
High 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


b6 

b7C 


Good Afternoon, 


Per a request from CEAU UC l I he wanted you both to review the Urgent FOIA request below. If you 

have any questions, please contact me at the below numbers. 

b6 

b7C 


— CWginai Messa ge — 

From: [ 

Sent: 

To: [ 


(Fsn i , 

fOTDHFB nJ ~ 
[ VQTDWFBnt 


loTD) (CON) 

h? 2:06 i 

rOTD) (FBI)£__ 
• ^QTDU COFnr 
IfOTD^TP 


Tnutsdav.3ulv26.20p7 2:06 PM 

II 
(( 

OTD^fFgiT 


(CON), 

.(ona 


1 

tessjl 


fOTD^ (' 


SON)[ 

IkOTD 


JOTD) (FBI^ 

ro5)fCTH);1. 


OT P) (FBn^ 


JOTD) (CON); 

10TD)(CON);L 

OismmSi 


rroNii 


i OT PKFBnJ 
rOTD)(CON)r ^^ 




OTDI fFBl 


(CON) 


los) (0)N);C 


MiOY4d:UT 


m 


I2ip) (FBI)I , 


IfOTP^ fCQN>^ 


raTD)(CON)J 

[(OTD)(FB I);r 


I^OTP) 




3 


OTP) rFBDI 


OTP^ fF BnrF 




IroTp' 


(OTP) (FBI) 










|(OTP)(CON);[ 



(OTP) 


(OS) 
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Fririaw hilu97 9nn7^ ctftPM 


b6 

b7C 


c 


From: 

Sent: 

To: 

Cc: 

Subject: 


Rt: Urgent FOIA Request - Deadline - Friday, August 3, 2007 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


There is nothing to review in your e-mail to the unit concerning the Urgent FOIA request. In fact, if there was a copy of th^ 
FOIA attached, there would be nothing for us to review. When a FOIA request goes out from HQ, the persons receiving 
the request must gather all responsive documents, note any o^ncerns they have about the release of those documents, 
and send it to the person that sent the request. The FBI has a FOIA unit that, In conjunction with the FOIA Litigation Unit 
of OGC, reviews what is submitted to them to determine what will must be released and what we will claim an exception 
for. 


Assistant General Counsel 
Scienc e and Technolog y Law Unit 
Phonei F" ~| 

Cell phonel I 

Secure ohone!! I 

Fax I 1 


Original Mp^saop — 

Ffoms I r OTP^ (CON) 

Sent: Jridav. lulv 27, 2007 4:45 PM 

To: I I (OGQ (FBI)l |(OGQ (FBI) 

Subject: . FW: Urgent FOIA Request - Deadline - Friday, August 3, 2007 

Importance: High 

b6 

SENSITIVE BUT UNCLASSIFIED b7C 

NON-RECORD 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

DATE 06-16-2008 BY 60322uclp/stp/Eds 


b6 

b7C 

b2 


Good Afternoon, 

Per a request from CEAU UC l I he wanted you both to review the Urgent FOIA request below. If 

you have any questions, please contact me at the below numbers. 

v/r, 

I — I 


b6 

b7C 


— Original Message — ' 

From: | 

Sent: 

To; 


Cc: 

Subject: 


Thursday, Jul7 


l(OTD) (CON) 

^ 2007 2:06 PM 




lOTOl 


taa^) (coN)[ 


QTDHO 


— Ton 

tnzEni 

rPHn4 










rbtDYr&N) 






lOTO) (rei);| 
K0S)CC0N): 


IOTOHEEU 


^2)((5n)IIZ 

lOTP^ /c^ 
FBDJ 


frerrWrm 


Fi^OTl b)(FBI)r 

-js2ia£_I 


l(OTD)(CON) 


; 16tP) CFBlil 


IfQTP^ fFRIV.F 




l(OTO) (CON);l 


TfOTO) 


KOTO) (CON); 




Tr 


l(OS) (CON) 
jorb) (CON) 


los) (CON);[ 


msum 


OTDjXFBDf 






LQTPHFBOr 

JOTD)CFBI)l_ 


;au>)i(£su) 


t( piiCON)i_ ^ 


JOTb) 


Urgent FOIA Request - Deadline - Friday, August 3, ^07 
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Duplicate 2-3 


Importance: High 

SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Good Afternoon, 

Per UC Pandelides, please provide hard copies of ALL documentation, to include e-mails, concerning! PAV 
Technology. All information is to be turned in by COB^'Fridav. August 3rd. 2007. Additionally, it is requested that you 
please put all documents in chronological order. If I am not in the office that day, please take you^ocuments to 
Jennifer Ashinhurst 

Thanks, 

Leslie 

Leslie Delp 

Management Assistant 
Operational Technology Division (OTD) 

Cryptologic and Electronic Analysis Unit (CEAU) 

571-223-3609 (Chantilly) 

703-985-1252 (Quantico) 

202-538-1952 (Ceil) 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 
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Friday. Juh/^r 


r 


From: 

Sent: 

To: 

Subject: 


FW: urgent FOIA Request - Deadhne - Friday, August 3, 2007 


Importance: High 

SENSITIVE BUT UNCLASSIFIED 
NON»RECORD 


ALL IHFORHATION COHTAINED 

HEREIN IS UNCLASSIFIED 

DATE 06-16-2008 BY 60322uclp/scp/rds 


•b6 

b7C . 


You might want to send this to| |too. 


Since 


was the UC I assume he is also responding to this? 


intormation Tecnnoi^y Specialist 
Operational Technology Division 


b6 

b7C 

b2 


— Original Mess age — 

From: I 


Sent: 

To: 


Thursday. July 

(FBI)| ■ ' 

(OTP) (FB nl 


](OTD) (CON) 
26^2007 2:06 PM 


■(conI 




(QTO) (FBI)[I" 

rimucoF^ 

Tqtp)^ 




1 


rnm^ rrfMsi 


mDlICON) 




, IcOT PK^ 


:bTP)(FBI][ 

30TDMFBn£ZI_ 

hrx\ f^N) i 

|(oto)(fbd J 


OTP) (CON) 
OTP) (CON);, 
10TP)fTON 


:6tP) (F|t3 

tgfa) (FBI ) 


Cc 

Subject: 

Importance: 




J0S)(C0N)[ 





I^)(FBi)T\ 

kOTD)(M 




JOTDTTO 


JOTD) (CON) 


Urgent FOIA Request - Oeadilne • Friday, August 3, 2007 
High 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Good Afternoon, 


Per UC l I please provide hard copies of ALL documentation, to include e-mails, concerning CIPAV Technology. 

All information is to be turned In by COB Friday. August 3rd. 2007 . Additionally, it is requested th at vou please put all 
documents In chronological order. If I am not in the office that day, please take your documents tc j 1 


Thanks, 


b6 

b7C 


Management Assistant 
Operational Technology Division (OTD) 


55 


Cryptologic and Electronic Analysis Unit (CEAU) 
(Chantilly) 

(Quantico) 

(Cell) 


h2 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 


\ 
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From: | 

Sent: Monday. June 25, 2007 1 :30 PM 

To: I 

Cc: I 

Subject: FW: Traveler Program 


b 6 

b7C 


ALL INFORHATIOM CDNTAIHED 

SENSITIVE BUT UNCLASSIFIED HEREIN is UNCLASSIFIED 

NON-RECORD DATE 06-16-2008 BY 60322uclp/stp/i:ds 


h ta lked to I I about thl somoram exota ininq that you would be discussinq l I 

bnalvsis responsibility with! I said that they were looking to evolve this into more aggre ssive 

coverag e - what I took to mean CIPAV and PIAS5 T analysis. I told herthatwe andl 

I should be kept on the ECs as "read and clear" for the time being. ’ ’ 


b6 

b7C 

b2 

b7E 


— Original Message 
From: I 

Sent: _ Mnnriav 

To: 

Cc 


SubiJect: 


re: Traveler program 


b6 

|b7C 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


Please give me a call when you get a chanc 4 ~ _ I Computer Intrusion Section, National Cyber 337 ^ 

Investigative Joint Task Force (NCIJTF), Investigative CpVrations Croup (lOG), is in the process of formulating a ^2 

"standard ized" Traveler Program for implementation bv FBI Field Divisions in coordination with our Intelligence Community 
Partners. i ~ ^ ^2 


My past experience working these types of operations (throug h the Honolulu Di vision^ develo ped some basel ine 
assessment whereby the fniinwinn t^rimir/ai personnel assisted:] |OTD, CEAU; I B OSU: 

I |SPTU; and I |(former Program Manager). The NCUTF is working closely with the WFO- 

* NVKA, LIK-Ib, in establishing ineir traveler operation(s). 


b7E 


b6 

b7C 


I look fon/vard to' speaking with you. 


SS/I 

CyD7CTS7C3TD=2" 

NCIJTF /PRC -DET Team Lead 


(STAG) 


be 

b7C 

b2 


— Original Mpcaop — 

From: I 

Sent: Wednesday. June 20. 2007 12:04 PM 

To: 

Cc: 

Subject: 


Travel^- Program 


b6 

b7C 


SENSITIVE BUT UNCLASSiFIED 
NON-RECORD 


b6 

b7C 


HI 

This is in furtherance of the voice message I ieft for you this morning. As i understand it, you're managing the Traveier 


1 







Secure Technologies Exploitation Group 
Cryptologic and Electronic Analysis Unit (CEAU) 
Electronic Surveillance Technology Section 
Operational Technology Division 
ERF Extension 



be 

b7C 


b2 

be 

b7C 


SENSITIVE BUT UNCLASSIFtED 
SENSITIVE BUT UNCLASSIFIED 
SENSITIVE BUT UNCLASSIFIED 




2 





From: 

Sent: 

To: 

Subject: 


SECRET 
RECORD 319 


Wednesday, July '2b, l^UU/ i;U6 HM 
DICLEMENTE, ANTHONY P. (OTD) (FBI); 
RE: FOIA request from Wired News 


b6 

b7C 


DATE: 08-15-2008 

CLASSIFIED BY 60322uclp/stp/rds 

REASOH; 1.4 (c) 

DECLASSIFY ON: 08-15-2033 


Probably best discussed in person. After our 4:00? 


b6 
b7C 

SECRET 
RECORD 319 


— CWginal Message — 

From; DICLEMENTE, ANTHONY P. (OTD) (FBI) 

Sent; Wednesday. July 25, 2QQ7 12:34 PM 

To-. I I 

Subject; RE: FOIA request from Wired News 


My understanding is that the tool itself is unclassified. If ttie tool was classified, we would have had to pursue DAG 
approval to use it in a criminal investigation. 


Anthony P. DiClemente 

Chief, Data Acquisition and Intercept Section 

Operational Technofogv Division 


All INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 

be 

b7C 

b2 


— Ori ginal Message — 

From: I 

Sent; ‘ Wednesday. July AH 

To: I ^ DICLEMENTE, AfmiONY P. (OTD) (FBI) 

Subject: RE: FOIA request from Wired News 

SECRET 
RECORD 319 


be 

b7C 


That helps. The FOIA attorney explained that if the tool was Law Enforcement sensitive, that it would not be 
protected. It could be "watered down", but we might have to provide something. Since, the specifics (which I take 
to be what is being requested) are SECRET, that should help. Thanks! 



— Original Message- 

From: I 


SC 


SubJecb 


Wprin«da v. July 25, 2007 11: 16 AM 

](OTD) (FBI); DICLEMENTE, ATfTHONY P. (OTD) (FBI) 


RE: FOIA request from Wired News 


SECRET 
RECORD 319 


If I understand the questions that Mr. Poulsen would like answered, such as how we deliver the system, etc, 
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etc. are all held SECRET. The 


the details are classified SECRET: 
actual compiled code, for obvious reasons, cannot be secret. However, the workings thereof would, by 
necessity, as they relate to SECRET source code, etc, are Sensitive. 


hi 


Bill 


— ^^Oilginal 

Proni: I I , 

Sent. Wednesday. Jutv 25. 2007 10:58 AM 

To: I lOIOEMENTE. ANTHONY P. (OTD) (FBI) 

Subject: . r::: raiA request mxn Wired 


SENSITIVE BUT UNC 




NON-RECORD 


b6 

b7C 


Are these details classified SECRET? 
Original Mess age — 


From: 

Sent 

To: 

Suldect: 


] 


Wednesday, July 25, 2007 8:36 AM 
DiaEMENTE, ANTHONY P. (OTD) (FBI);[ 
RE: FOIA request from Wired News 


SENSITIVE BUT UNClJtSSIFIED 
NON-RECOR'^ / \ 



In addition, I have always insisted that the underlying technical details of the CIPAV are classified. 
Therefore, we should be shielded from this. 


— Original Message 


From: 

Sent: 

To: 

Cc 

Subject 


OICLEMENTE, ANTHC»iY P. (OTD) (FBI) 

T.iPcAm 

i 

RE: FOIA request from Wired News 


SENSITIVE BUT UNCbAgglFIED 
NON-RECORD \ 


Recommend you contact the FBI/OGC FOIA Litigation Unit We have been able to utilize the 
FOIA exemption (b) 7(e) successfully to protect law enforcement techniques and methods such 
as the CIPAV in the past 

be 

Anthony P. DiClemente 

Chief, Data Acquisition and Intercept Section 

Operational Technology Division 


— Original Mess age — 

From: 

S&ntt 
To: 

Subject 


TTjesoaTTWT^rzroT’rurTM 

biCLEMENTE, ANTHONY P. (OTD) (FBI) 
FW: POIA request Trom Wired News 


unci:as^ed 


he 

hlC 

h2 
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be 

b7C 


dlTony, 

See attached email string, it appears that there was a FOIA request concering the CIPAV 
used in the Seattle case. Looks like Seattle CDC is looking for assistance. Could you please 
provide me with guidance. Thanks! 


— CWginal 

From: 

Sent: 

To: 

Subjecb 



FW: FOIA request from \ATired News 


UNCi^ft&Sj^ED 

NOIfflECbRD* 


FYl. 

SS> ^ . ~ I 

Operational l ecnnoi^y Division 
Data Acquisition and Intercept Section 
Cryptologic and Electronic Analysis Unit 
finftwara Dfivelp pment Group 
(desk) 

(cell) 

(fax-undass) 


b6 

b7C 

b2 


— Original — 

From: 

Sent: 

To: 

Subject: 


FW: FOIA request from Wired News 


UNCbWt^lED 

NOf^-REC^>f^ 




FYl, we received the below FOIA request and responded through our CDC SSA 


1 understand there was a flurry of activity last week related to the conviction of the defendant, 
the subsequent media attention, and misinformation being circulated about the manner by 
which this case was handled by my squad. 


Please let me know if anyone has any pending issues concerning the above. 


Thank you 


\U 


— Original Mcyinn 
Frt>m: | 

Sent: lUKfla/ JiilW iirsjfiW" 

To: 

Cc: 

Subject: hwi KJiA request mm wiru News 


be 

b7C 


be 

b7C 


be 

b7C 


be 

b7C 
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UNCLASSIFIED 

NON-RECOf^ 


a 


Your inquiry was forwarded to me for resolution since I am the Field Office FOlPA 
Coordinator. 

The technique you mention in your e-mail is a sensitive lavi/ enforcement technique. The 
Seattle Field Office does not believe it appropriate to release any information about this 
technique, beyond that which was contained in the affidavit, and recommends that you consult 
with the folks in the Cyber Division and/or the Operation Technology Division for their opinion . 
prior to processing the request. 

If I may be of further assistance please let me know. 

Thank vou. 


Supervisory special Agent 

Chief Division Counsel ' be 

Seattle Division—, b7c 


b6 

b7C 


— Original 

From: 

Sent: 

To: 

Cc 

Subject: 




Monday. July 23.2007 


FW: FOIA request from Wired News 


UNCpttgf^D 

NON>RECO^ 


b6 

b7C 


— Original Mesi 

Fram: | 

n 

Sent: 


Monday, .liilv n ?n07 17:07 PM 

To: 

L 


Subject: 


FW: FOIA request from Wired News 


UNC^*g|jFIED 

NON^ECet^ 


b6 

b7C 


— Original Mes 
From: 


Sent: 

Monoav, juiyzj, ii:bbAn 

To: 

1 

Subject 



UNClXS^FIED 

non^ecord" 


We received a FOIA request from Keven Poulsen, Wired News, addressed to FBI HQ, 
'seeldng any documents, including but not limited to electron records, concerning the FBI's 
development and utilization of so-called "Computer and Internet Protocol Address Veridler" 
[CIPAV]'. I already did a ACS search and did not come up with any information. 

I bring this to your attention, because the writer mentioned the following, "A CIPAV is 
described in a June 12, 2007 application and affidavit filed by FBI Special Agent Norman B. 
Sanders, Jr of the Seattle Field Office as something that can be transmitted electronically to 
an investigation target, and , once activated, 'will cause the activating computer to send 
network level messages, including the activating computer's originating IP address and MAC 
address, other variables, and certain registry-type information' to a computer under the FBI 
control." 
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Do you know where this information is located in order to respond to the FOIA request? 

Thanks for your assistance. 

I I b6 

Legal Aaminisiraiive specialist hic 



DERIVED FROM: G-3 FBI Classification Guide G-3. dated 1/97. Foreign Counterintelligence 

Investigations 

DECLASSIFY ON: 20320725 

SECRET 


DERIVED FROM: G-3 FBI Classification Guide G-3. dated 1/97. Foreign Counterintelligence Investigations 

DECLASSIFY ON: 2032072S 

SECRET 

DERIVED FROM: G-3 FBI Classification Guide G-3. dated 1/97. Foreign Counterintelligence Investigations 

DECLASSIFY ON: 2032072S 

SECRET 


DERIVED FROM; G«3 FBI Classification Guide dated 1/97. Foreign Counterintelligence Investigations 

DECLASSIFY ON: 20320725 

SECRET 



^EeftST 


From; 

Sent: 

To: 

Subject: 

Importance: 

[ 

c 

1 

Tuesday. July 24. 2007 3:21 PM 
FW: SF Newspaper Ad Response 
High 

] b6 

^ ‘ b7C 

SECRET 

RECORD 


l(St 

s 

DATE: 06-15-2008 

CLASSIFIED BY 60322ucip/stp/cds 

REASON: 1.4 (c) 

DECLASSIFY ON: 08-15-2033 ^ 


See the entire thread. This may be fall out from the CIPAV article and news story. In case you didn't know, a 
complete story appeared on Fox News a day after the story broke. A former AUSA appeared on the show and talked 
exclusively about the capability of the tool and the legal issues concerning it. 


SS A I 

Operational Technology Division 
Data Acquisition and Intercept Section 
Cryptologic and Electronic Analysis Unit 
Software Develo pment Group 
|(desk) 

(cell) 

(fax-unclass) 


b6 

b7C 

b2 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 


—Original Mess age 

From: I 

Senb 
To: 

Subject: 

Importance: 


Tuesday. July 24. 2 




T^TTSFTTevwpSpSnBTRSpSn 

High 


I5e 


SECRET 

RECORO 



b6 

b7C 


bl 


fyi 


— Original Mess age — 

From: I I 

Sent: fridav. Jutv M.' M07 5:00 W '' 

To: I I 

Subject: FW: SF Newspaper Ad Response 

Importance: High 


SECRETr 

RECQRE 


s 


) 


b6 

b7C 


bl’ 


— Original Mess age — 

From: | 

Sent: imacnau Iiin/I/ yiHi/ i ■ . i nB 

To: 

Subject: hW: bh NOWSpsper M KSSponss 

Importance: High 

SECRET 

recorI 



b6 

b7C 


bl 


25 










SECRET 

RECORD 



bl 



— Original Messa ge: — 

From: j 

Sent: 

To: 

Subject: 


Jhohfbi) 


RE; SF Newspaper Ad Response 


SECRET 

RECORI 




(S) 


b6 

b7C 


bl 


My replacements are 

n 


ss^ 

Houston uivision 
Squad CI-3 


be 

b7C 

b2 


(S) 


Original iH ia rrm a 

From: 

senb Hnndav. Hi. 

To; I 

Subject: FW: SF Newspaper Ad Response 


SECRET. 


RECORD 


bl 




[I know you both have successors but 1 didn't know who they were. 

I'm back in NY and saw this traffic. I don't know if this has any implications for SQ. 


be 

b7C 


— Original 

From: i 

Sent: Monday, July 16, 2007 4:26 PM 

To: 


be 

b7C 


(S) 


Subject: 

SECRET 

REGQRDi 


/: SP Newspaper Ad Re^nse 


bl 


Reporting from CHICAGO ref the LA info I sent around earlier today. 
Thanty , 


— Original Massaop- 

From: 


be 

b7C 


Z7 


















From: 

Sent: 

To: 

Cc: 

Subject: 


Tuesday. July 24. 2QQ7 8:29 AM_ 


b6 

b7C 


RE: CIPAV^ 


SENSITIVE BUT UNCbi^FIED 

noFTrecord \ 


DATE: 08-15-2003 

CLASSIFIED BY 60322uclp/st.p/rds 

REASON: 1.4 {c) 

DECLASSIFY ON: 08-15-2033 


(S) 


SSA I I 

Acting Unit Chief 

Data Intetcept Technology Unit 


ALL IHFOFNATIOH CONTAINED 
PJEREIH IS UNCLASSIFIED EXCEPT 
WHERE SHOUN OTHERUISE 


— Original 

From: 

Sent: 

To: I 

Cc 

Subject: 


] 


iessaoe — 

Yu^av'.lulv 14. i.VTTS^ 


UPAV ?' 


SENSITIVE BUT UNfeU^IFlEP 
NON-RECORD 


be 

blC 

h2 


b6 

b7C 


Heiio Guy, 

f 

hi 

I l is tdy here, and he is handling this matter. Can you advise him who he should contact to find out more 

about CIPAV? 

Thanks again, 

I b6 

I b7C 

Assistant Legal Attach^ b2 

Frankfurt. Germany 


(SI 


CLkS^X 


SENSITIVE BUT UNCLASSIFIED 
SENSITIVE BUT UNCLASSIFIED 












To: 

Cc: 

Subject: 


Kb: JiH>UNU Request for t-bl T66I 


be 

b7C 


UNCLASSIFIED 

NON-RECORD 


ALL IKFOPHATION CONTAIHED 

HEREIN IS UNCLASSIFIED 

DATE 06-16-2008 BY 60322uclp/stp/rds 


~| is correct in his hesitancy, based on liaibility concerns. I don't know of any ponies addressing this issue, 
pernaps this would be a good topic for the NCIJTF? Let's look into this after the open house? 

SSA l 

Cyber /C3IU-2 

I- Work 
•Fax 

-Cel! 


"If you cb3ni team to laugh at troubles, you won't have anything to laugh at whan you grow old.' • Edward IV. Howe 


be 

b7C 

b2 


— Original Message — 

From: I 

Sent! ^ 

To: C , 

Subject: RE: JTF-6N0 Request for FBI Tool 






UNCLASSIFIED 

NON-RECORD 


b6 

b7C 


On a case-by-case basis, we may be able to assist. But am weary to just hand over our tools to another Gov't agency 
without any oversight or protection for our tool/technique. 

fWal nal Mpgatw 

From: I I 

Sent: Monday. July 23, 2007 11:46 AM 

TO! I 

CC! ! 

Subject: FW: JTF-GNO Request for FBI Tool 

UNCLASSIFIED 
NON-RECORD 


b6 

b7C 


b6 

b7C 


The NCIS and JTF-GNO has a sked for assistance from the FBI in obtaining different FBI tools for use l 1 1 
talked with| KOTD) this morning and he said the FBI can't share FBI tools with other agencies 

without an muu oetween me two agencies. Do you know of any MOU ponies - 1 could use in drafting up an MOU? 

Any assistance will be appreciated. 

Thanks! 
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— Ori ginal Message — 
From: | 

Sent: 

To; 




-ITaIi 


Subject: JTF-GNO Request for FBI Tool 


UNCLASSIFIED 

NON-RECORD 


be 

b7C 


The Joint Task Force * Global Network Operatiorts (JTF-GNO) has asked the FBI for a copy of a tool called 
"Compu ter Internet Protocol Address Verifier'' (CIPAV). Please advise where I could go to find this tool for release 


Thanksl 


NCIS Liaison - FBI Cyber Division 


be 

b7C 

b2 


UNCLASSIFIED 


UNCLASSIFIED 


/ ■ 


UNCLASSIFIED 
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h 6 

hlC 


From: 

Sent: 

To: 

Subject: 



r 


RE: SeahleCIPAVC^ase 


ALL lUFORlIATION COMTAIHED 

SENSITIVE BUT UNCLASSIFIED herein is unclassified 

NON»RECORD date O6-I6-2008 by eoszsucip/stp/rds 


t have forwarded this e-mail to management and the press officers, along with a link to the wired.com story. I have also 
verbally briefed management. 


— Original 

From: 

Sent: 

To; 

Cc: 

Subje^ 



“S5SfB5nPm3S5 


.007 2:35 PM 

^(SE)(FBI) _ 

rOTD) (FBI); DIOEMEMTE, ANTHONY P. (OTD) (FBI)[ 


SENSITIVE BUT UNCLASSIFIED 
NON-RECORD 


](OTD)(FB0 


b 6 

b 7 C 


I just wanted to reiterate our telephonic discussion, so that you can pass this information on to your Executive 
Management As we are all aware, the Seattle bomb threat case has gone public on several news and technical 
websites, providing detailed information on someof the capabilities of this particular tool. This obviously causes us ^7^ 
some concern as we tiy to make every effort possible to protect the FBI's sensitive tools and techniques. That being 
said, with a good possibility that future inquiries will be forthcoming to Seattle Division regarding how the FBI was able 
to collect the information that ultimately helped solve this case, we want to ensure that the capabilities of the CIPAV 
are minimized, if discussed at all. This and many tools deploy^ by the FBI are law enforcement sensitive and, as 
such, we request that as little information as possible be provided to as few individuals ais possible. Thanks and please 
let me know if you have any questions. 


Unit Chief ' 

Cryptologic and Electronic Analysis Unit (CEAU) 


SENSITIVE BUT UNCLASSIFIED 


SENSITIVE BUT UNCLASSIFIED 


19 


From: 

Sent: 

To: 

Subject: 


^M!Ylg. 2097 3:57 PM 


FW^ FBI’s Secret Spyware Tracks Down Teen Who Made Bomb Threats 


b6 

b7C 


UNCLASSIFIED 

non-record lETFoimTioK co^rrAiUED 

HEREIN IS UNCLASSIFIED 

DATE 06-16-2008 BY 60322uclp/stp/Ed3 

Wow you're good! 


— Original 

From: 

Sent: 

To: 

Subject: 




r 


hw: hBi's beoet bpyware i racxs uown Teen wno Made Somb 'Yhre^ 


UNCLASSIFIED 

NON-RECORD 


When did we get tools like this? Oh wait, now I remember. Anyway, glad to see it all spelled out in Wired. 


—“Original 

From: 

Sent: 

To: 

Subject: 


Message — 


FSrs Seaet Spyware Tracks Dowi Teen Who Made Bomb Threats 


] 


UNCLASSIFIED 

NON-RECORD 


b6 

b7C 

b2 


i>6 

b7C 


This looks like "the good stuff' that the criminal people never get to use. Interesting that it's in an criminal 
affidavit. 


FBFs Secret Spyware Tracks Down Teen Who Made Bomb Threats 

Wired.com 
2:00 AM 
By Kevin Poulsen 
July 18, 2007 

SEATTLE, WA — FBI agents trying to track the source of e-mailed bomb threats against a Washington 
high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor 
him and report back to a government server, according to an FBI affidavit obtained by Wired News. 
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The court iiling offers the first public glimpse into the bureau's long-suspected spyware capability, in 
which the FBI adopts techniques more common to online criminals. The software was sent to the owner 
of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. 
The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded 
guilty to making bomb threats, identity theft and felony harassment. In an affidavit seeking a search 
warrant to use the software, filed last month in U.S. District Court in the Western District of 
Washington, FBI agent Norman Sanders describes the software as a "computer and internet protocol 
address verifier," or CIPAV . , 

FBI Spyware In A Nutshell 

The full capabilities of the FBI 's "computer and internet protocol address verifier" are closely guarded 
secrets, but here's some of the data the malware collects from a computer immediately after infiltrating it, 
according to a bureau affidavit acquired by Wired News. 

• IP address 

• MAC address of ethemet cards 

• A list of open TCP and UDP ports 

• A list of running programs • The operating system type, version and serial number 

• The default internet browser and version 

• The registered user of the operating system, and registered company name, if any 

• The current logged-in user name 

• The last visited URL 

Once that data is gathered, the CIPAV begins secretly monitoring the computer's internet use, logging 
every IP address to which the machine connects. All that information is sent over the internet to an FBI 
computer in Virginia, likely located at the FBI' s technical laboratory in Quantico. Sanders wrote that the 
spyware program gathers a wide range of information, including the computer's IP address; MAC 
address; open ports; a list of running programs; the operating system type, version and serial number; 
preferred internet browser and version; the computer's registered owner and registered company name; 
the current logged-in user name and the last-visited URL. The CIPAV then settles into a silent "pen 
register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP 
address of every computer to which the machine connects for up to 60 days. 

Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such surveillance — which does not 
capture the content of the communications — can be conducted without a wiretap warrant, because 
internet users have no "reasonable expectation of privacy" in the data when using the internet 
According to the affidavit, the CIPAV sends all the data it collects to a central FBI server located 
somewhere in eastern Vii^inia. The server's precise location wasn't specified, but previous FBI internet 
surveillance technology — notably its Carnivore packet-sniffing hardware — was developed and run out 
of the bureau's technology laboratory at the FBI Academy in Quantico, Virginia. 

The FBI 's national office referred an inquiry about the CIPAV to a spokeswoman for the FBI 
Laboratory in Quantico, who declined to comment on the technology. The FBI has been known to use 
PC-spying technology since at least 1999, when a court ruled the bureau could break into reputed 
mobster Nicodemo Scarfo's office to plant a covert keystroke logger on his computer. But it wasn't until 
2001 that the FBI' s plans to use hacker-style computer-intrusion techniques emerged in a report by 
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MSNBC.com. The report described an FBI program called "Magic Lantern" that uses deceptive e>mail 
attachments and operating-system vulnerabilities to infiltrate a target system. The FBI later confirmed 
the program, and called it a "workbench project" that had not been deployed. 

No cases have been publicly linked to such a capability until now, says David Sobel, a Washington, D.C., 
attorney with the Electronic Frontier Foundation. "It might Just be that the defense lawyers are not 
sufficiently sophisticated to have their ears perk up when this methodology is revealed in a prosecution," 
says Sobel. "I think it*s safe to say the use of such a technique raises novel and unresolved legal issues." 
The June affidavit doesn*t reveal whether the CIPAV can be configured to monitor keystrokes, or to 
allow the FBI real-time access to the computer's hard drive, like typical Trojan malware used by 
computer criminals. It notes that the "commands, processes, capabilities and ... configuration" of the 
CIPAV is "classified as a law enforcement sensitive investigative technique, the disclosure of which would 
likely jeopardize other ongoing investigations and/or future use of the technique." 

The document is also silent as to how the spyware infiltrates the targets computer. In the Washington 
case, the FBI delivered the program through MySpace*s messaging system, which allows HTML and 
embedded images. The FBI might have simply tricked the suspect into downloading and opening an 
executable file, says Roger Thompson, CTO of security vendor Exploit Prevention Labs. But the bureau 
could also have exploited one of the legion of web browser vulnerabilities discovered by computer- 
security researchers and cybercrooks — or even used one of its own. "IPs quite possible the FBI knows 
about vulnerabilities that have not been disclosed to the rest of the world," says Thompson. "If they had . 
discovered one, they would not have disclosed it, and that would be a great way to get stuff on people's 
computer. Then I guess they can bug whoever they want." 

The FBI 's 2008 budget request hints at the bureau's efibrts in the hacking arena, including $220,000 
sought to "purchase highly specialized equipment and technical tools used for covert (and) overt search 
and seizure forensic operations.... This funding will allow the technology challenges (sic) including 
bypass, defeat or compromise of computer systems." With the FBI in the business of hacking, security 
companies are in a tight place. Thompson's LinkScanner product, for example, scans web pages for 
security exploits, and warns the customer if one is found. How would bis company respond if the FBI 
asked him to turn a blind eye to CIPAV? He says he's never fielded such a request. "That would put us in 
a very difficult position," Thompson says. "I don't know what I'd say." 

The Washington case unfolded May 30, when a hradwritten bomb threat prompted the evacuation of 
Timberline High School in Lacey, Washington. No bomb was found. On June 4, a second bomb threat 
was e-mailed to the school from a Gmail account that bad been newly created under the name of an 
innocent student. "I will be blowing up your school Monday, June 4, 2007," the message read. "There are 
4 bombs planted throughout Timberline high scbooL One in the math hall, library hall, main office and 
one portable. The bombs will go off in 5 minute intervals at 9:15 AM." In addition, the message 
promised, "The e-mail server of your district will be offline starting at 8:45 am." 

The author made good on the latter threat, and a denial-of -service attack smacked the North Thurston 
Public Schools computer network, generating a relatively modest 1 million packets an hour. Responding 
to the bomb threat, school administrators ordered an evacuation of the high school, but, once again, no 
explosives were found. That began a bizarre cat-and-mouse game between law enforcement and school 
officials and the ersatz cyberterrorist, who e-mailed a new hoax bomb threat every day for several days, 
each triggering a new evacuation. Each threat used the same pseudonym, but was sent fk'om a different, 
newly created Gmail account to complicate tracing efforts. 

On June 7, the hoaxer started issuing threats through other online mediums. In his most brazen move, he 
set up a MySpace profile called Timberlinebombinfo and sent friend requests to 33 classmates. The whole 
time he was daring law enforcement officials to trace him. "The e-mail was sent over a newly made Gmail 
account, from overseas in a foreign country," he wrote in one message. "Seeing as you're too stupid to 
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trace the e-mail back lets (sic) get serious," he taunted in another. "Maybe you should hire Bill Gates to 
tell you that it is coming from Italy. HAHAHA. Oh wait I already told you that it's coming from Italy." 
As promised, attempts to trace the hoaxer dead-ended at a hacked server in Grumello del Monte, Italy. 

The FBI 's Seattle Division contacted the FBI legal attach^ in Rome, who provided an official request to 
the Italian national police for assistance. But on June 12, perhaps fed up with the mocking, the FBI 
applied for and obtained a search warrant authorizing the bureau to send the CIPAV to the 
Timberlinebombinfo MySpace profile. Court documents reveal the search warrant was "executed" June 
. 13 at 5:49 p.m. Though the CIPAV provided a wealth of information, Glazebrook's IP address would 
have been enough to guide the FBI to the teen's front door. John Sinclair, Glazebrook's attorney, says his 
client never intended to blow anything up — "it was a prank from the get-go" — but admits he hacked 
into computers in Italy to launder his activities, and that he launched the denial-of-service attack against 
the school district's network. 

Glazebrook was sentenced Monday to 90 days in custody, and given credit for 32 days he's spent behind 
bars since his arrest. When he's released he'll be on two years' probation with internet and computer 
restrictions, and he's been expelled from high school. The teen is being held at the Thurston County 
Juvenile Detention Center, where he will serve out his sentence, says Sinclair. Sinclair says he was told 
that the FBI had tracked down his client in response to a request from local police — but that he didn't ■ 
know exactly how the bureau did it. 

"The prosecutor made it clear that they wouldn't indicate how this device works or how they do it," says 
Sinclair. "For obvious reasons." Larry Carr, a spokesman with the FBI 's Seattle field office, couldn't 
confirm that the CIPAV is the same software previously known as Magic Lantern, but emphasized that 
the bureau's technological capabilities have grown since the 2001 report. The case shows that FBI 
scientists are equipped to handle internet threats, says Carr. "It sends a message that, if you're going to 
try and do stuff like this online, that we have the ability to track individuals' movements online and bring 
the case to resolution." 


UNCLASSIFIED 


UNCLASSIFIED 


UNCLASSIFIED 
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b6 

b7C 


bl 



DATE: 08-15-2008 

CLASSIFIED BY 60322Taclp/stp/rds 

REASOH: 1.4 (cj 

DECLASSIFY ON: 06-15-2033 


b6 

b7C 

b2 




HEREIN IS UNCLASSIFIED EXCEPT 


Only the IP address and then only once. 


WHERE SHOWN OTHERWISE 


Assistant General Counsel 
Science and Technology Law Unit 
Office of the General Counsel 
Fe deral Bureau of Inv estigation 
Ph] 

Ce\ I 

Ph jsecureTl I 


b6 

b7C 


b2 

b6 

b7C 



1 


T 












How do you feel about asking CyD for $ to implement this effort? 


ALL INFORHATION COHTAIMED 
HEPEIN IS UN.CLASSIFIED EXCEPT 
MHEPE SHOUN OTHERWISE 


b6 

b7C 



ThanksC^Can we request that I I do an EC with all the parlies involved explaining exactly what the traveler 
program is and the scope of it. This should include|~ 

I etc. After speaking with i t his morning, neither o^ us 
have the resources or are even sure whether the FBI should be doing this, but we need a little more info. I can call 
I I if you are busy, but not sure what your schedule is witt) the Director. 


Thanks! 



Please give me a call when you get a chance 


The Computer Intrusion Section, National b?c 


3 


T 


























s 


J 


DATE: 08-15-2008 

CLASSIFIED BY 60322uclp/3tp/r(is 

PEASON: 1.4 (c) 

DECLASSIFY OK; 08-15-2033 


From: 

Sent: 

To: 

Subject: 






he 

hlC 


RE: NIP Request for Quarter 3 - DUE COB Thrsday 06/21 


SECRET , 

record! I 




bl 


ssa I 

Operational Technology Division (OTD) 
Cryptologic and Electronic Analysis Unit (CEAU) 
I (cell) 

(desk) 

ifex) 


•••••Original Mfisagfi--- 

From; I I 

Sent Wednesday. June 20. 2007 9:58 AM 

To: I 

Subject NIP Request for Quarto’ 3 - (XJE COB Tbrsday 06/21 


ALL INFORHATIOH CONTAINED 
HEPEIN IS UNCLASSIFIED EXCEPT 
WHEPE SHOW OTHERUISE 



be 

b7C 

b2 


be 

b7C 



be 

b7C 


DERIVED FROM: G-3 FBI Classification Guide G-3. dated 1/97. Foreign Counterintelligence Investigations 

DECLASSIFICATION EXEMPTION 1 

SECRET 


DERIVED FROM: G-3 FBI Classification Guide G-3. dated 1/97. Foreign Counterintelligence Investigations 
DECLASSIFICATION EXEMPTION 1 
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he 

hlC 




From: 

Sent: 

To: 

Subject: 


W^rin^grfau .lMnA7n ?nfl7 ^ 

RE: NiP Request for Quarter 3 * DUE COB Thrsday 06/21 


SECRET 

record! I 



DATE: 08rl5-2008 

CLASSIFIED BY 60322uclp/stp/rds 

REASON: 1.4 (c) 

DECLASSIFY ON: 03-15-2033 


bl 


— Original MAoong 

From: I 

Sent: Wednesday. June 20. 2007 9:58 AM 

To: I 

Subject: rjiP Request ror quarter 3 - due 0)b Trirsday 06/21 


b6 

b7C 



secret 

recorc{ 


ALL INFORMATION CONTAINED 
•HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 

be 


b7C 


bl 


I need by COB Thursday. Thanksl 



be 

b7C 


DERIVED FROM; G»3 FBI Classification Guide G-3. dated 1/97. Foreign Counterintelligence Investigations 

declassification exemption 1 

SECRET 


DERIVED FROM: G-3 FBI Classification Guide G^. dated 1/97. Foreign Counterintelligence Investigations 

DECLASSIFICATION EXEMPTION 1 

SECRET 
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From: 





Sent: 

Tuesday. June 19. 2007 5:29 PM 

DATE: 08-15-2008 


To: 

I 


1 CLASSIFIED BY 60322uclp/stp/cds 


Subject: 

RE: Reminder 


REASON: 1.4 (c) 

DECLASSIFY ON: OB-lS-2033 



UNCb^SgiFIED 

NOhkftECQRP" 


bl 

(S) 


SSA l 1 

Operational Technology Division 
Digital Evidence Section' 

Cryptologic and Electronic Analysis Unit 

Software Develaoment Group , 


ALL INFDFHATIDN CONTAINCP 

HEFIIH IS UWCLASSIFIEP EXCEPT 

WHEPE SHOWN OTHERWISE ^7' 

h2 


— Original 
From: 

Sent: 

To: 

Subject: 

UNCbASS#IED 

NON-R^O^ 


Sorry to be a pain. But please let me know when you have had a chance to go through the leads so I can look at and 
have answers to remaining by Thursday. Thanks! 


Mfisswe- 


■Rsnmaer 


b6 

b7C 





UN CUg^^lED 


UNCLA^SIf^D 


b6 

b7C 
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) 







From: 

1 

I ALL IHFOPHATIOK COHTAIHED 

Sent: 

Thursday. June 14. 2007 3:23 PM 

HEPZIH IS UITCLASSIFIED EXCEPT 

To: 

I 

I \ WHEM shoxin otheruise 

Subject: 

Seattle Case Summary 

DATE: 09-22-2008 

CLASSIFIED' BY 60322 uc Ip/stp/rds 

UNCLASSIFIED 

NON-RECORD 


PEASOK; 1.4 (c) 

DECLASSIFY OH: 09-22-2033 


•b6 

hlC 


Per your request, the following is a synopsis of the Seattle 
Division's investigation: 

On 06/06/2007, the Seattle Division was contacted by the Lacey Police 
Department (LPD) , Lacey, WA, regarding numerous bomb threats and DDOS 
attacks received at the Timberline School District, Lacey, WA. The threats 
began on 05/30/2007 and persisted through 06/04/2007, The threats 
necessitated the daily evacuation of Timberline High School. The LPD and 
the Washington State Patrol (WSP) performed school evacuations and bomb 
sweeps with negative results. Parents and school district employees 
informed local television stations and newspapers, which aired the story on 
June 6, 2007. As a result, the LPD requested investigative assistance from 
the Northwest Cyber Crime Task Force (NCCTF) headed by. the Seattle \ 
Division. In turn, the Seattle Field Office ' requested assistance from the 
CEAU with geophysically locating the UNSUB-. 


(S) 

:bi 

information obtained from Comcast confirmed the suspicions of Law 
Eriforcement and led to the issuing of a search warrant and arrest warrant. 

A 15 year old male student from Timberline High School was taken into 
custody without incident at his home at approximately 2 A.M. this date. The 
minor confessed to issuing the bomb threats. Bomb threats dated this date 
were found on the minor's computer. The minor's computer equipment was 
seized and the arrest was made without incident. Following an interview 
with the minor, the .LPD was able to clear another threat case, as the minor 
confessed to issuing telephone death threats to teachers and others, 
including his parents, earlier this year. 


SSA| I 

Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 

r.nmgni- 



b6 

b7C 

h2 
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From: 

Sent: 

To: 

Subject: 


[ 




:] 


i-W: 2BBA-Sb-93/(J9 


UN<^S^IFIED 

non^kecorF 


b6 

b7C 

DATE; 08-15-2008 

CLASSIFIED BY 60322uclp/stp/t:ds 

REASON: 1.4 (c) 

DECLASSIFY ON: 08-15-2033 


Here is the opening EC for the Seattle Case. 

ssa I I 

Operational Technology Division 
Digital Evidence Section 
Cryptologic and Electronic Analysis Unit 
Software Development Group 


— Original M 

Prom: 

Sent: 

To: 

Ca 

Subject: 


less^ 

E 


ss=. 




288A-SE-93709 


□ 

3 


unVas^ified 

non M c W . 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOUN OTHERWISE 

b6 

b7C 

b2 


b6 

b7C 


I58nbs01.ec (15 
KB) 
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Subject: RE: Second IP Address 



Thanks for your help. 





ALL, INFOPHATION CONTAIHED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOIdN OTHERWISE 


i)6 

b7C 


■b6 

b7C 

b2 














b6 

b7C 


From: |_ 

Sent: J 

To: [_ 

Subject: FW: 288A-SE-9370^ 


UNa^SlFfED 

N0N«RE50RD“ 


DATE: 08-18-200S 

CLASSIFIED BY 60322ucip/stp/rds 

REASON: 1.4 (c) 

DECLASSIFY ON: 08-18-2033 


You are assigned this case. Please keep me updated. Thanks! 


— Original Mes gaoe-— 
From: 

Sent: 

To: 

Ce: 

Subject: 


Pridav, June fffl. lfl:Sl7gi' 


UN^bASSiPti^D 

NO^R^O^ 


FW: 288A*5E*93;« 


ALL INFORHATIOH CONTAINED 
HERIIM IS UNCLASSIFIED EXCEPT 
WHERE SHOtiN OTHERWISE 


I 1 - Here is the Opening EC we forwarded tc j l yesterday. Thanksj^ 


be 

b7C 


be 

b7C 


be 

b7C 


—“Original Messa 

From: 

1 

Sent: 

Thursday. June 07. 2007 2:12 PM 

To; 1 


Cc: 1 


Subject: 

"2353P5F537C5 

UNCtASStnED 


NON-J^EIX)>^ 


be 

b7C 




K 

I58nbs0l.ec(l5 
KB) 


bl 
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From: 

Sent: 

To: 

Subject: 


UNC^SSlFlED 

NQN-B^RD 


Friday; June W. 

DICLEMENTE, ANTHONY P. (OTD) (FBI) 

RE: UR5214/SE/THREAT INVESTIGATION 08-18-2008 

CLASSIFIED BY 60322ucip/stp/rds 
FEASOH: 1.4 (c) 

DECLASSIFY ON: 08-18-2033 


be 

b7C 


We’re on it. Will advise with updates. 


— Original Message — ; 

From: DIOfMEIfTE, ANTHONY P. (OTD) (FBI) 

Sent: Friday, June 08, 2007 10:02 AM 

To: I ^ 

Ca 


Subject: FW: URS214/SE/THREAT INVESHGATION 


be 

b7C 


UNbiAS^FIED 

NON4?Ei:^R5" 


Pis reach out to Seattle Field Office and offer CEAU assistance relative to CIPAVs and advise. 


Anthony P..DiClemente 

Chief, Electronic Surveillance Technology Section 
Operational Technology Division 


ALL INFORMATION CONTAINED 
HEREIN IS UNCLASSIFIED EXCEPT 
WHERE SHOT® OTHERWISE 


be 

b7C 

b2 


— Original Message — 


From: 

Sent: 

To: 

Cc: 


Subject: 


MOTTA, THOMAS GREGORY (OTD) (FBI) 
Friday. June OS. 2007 9:17 AM 


FW: UR5214/SE/THREAT INVESnCATON 


UN^S^FIED 

NQN-R6CQF^ 


be 

b7C 



1 

bl 


Thos. Gregory Motta 

Section Chief, Digital Evidence Section (OES) 
Operational Technology Division (OTD) 
Engineering Research Facility 


b2 







Being forwarded for your information is Urgent Report 5214 from FBI-Seattle regarding email bomb threats. 



b6 

b7C 

b2 


Original — b6 

From: | I b7C 

Sene Thursday, June 07, 2007 11:46 PM 

To: FBLURGENT REPORTS 

Cc: SE Ail Supervisors 

Sulqece UNSUB TTMBERUNE HIGH SCHOOL - VIOIM, COMPUTER INTRUSION - THREAT; 28BA'SE-93709 



Please see the attached Urgent Report If you have any questions, please feel free to contact me. 



b6 

b7C 


« File: 158brf02.ec » 



A/ASAC Seattle Division 
SSA - Squad 5 

Gang/Ciiminal Enterprise Program; 
Organlied Crime Program; 



be 

b7C 
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s 














From; 

Sent: 

To: 

Cc: 

Subject: 


c 

r 




SENSITIVE BUT UNCbkSSiRI 
NON-RECORD 


(S) 


IFIED 


DATE: 08-18-2008 

CLASSIFIED BY 60322iAclp/scp/rd3 

PEASON: 1.4 (c) 

DECLASSIFY OM: 08-18-2033 


b6 

b7C 

bl 


Hi. l I As promised, here's a copy of the OTO STE policy, including the LEGAT and OPS Plan ECs mentioned in the 
policy: 



>TE Policy.WPD (52 Legat EC.wpd (17 OPERATIONS 
KB) KB) PLAN.wpd (8 KB) 


Read this guidance in context. A tot of it is written for overseas deployment of physical equipment and personnel at the 
request of the foreign government Disregard those entries that don't make sense to your situation. 



Contrary to what I told you, please address the EC to the CEAU Chief, SSA 


Good ta lking with you! 


b6 

b7C 


SENSITIVE BUT UNC 


cbvs^i 


IFIED 


ALL IHFORHATIOK CONTAINED 
HEPEIH IS UNCLASSIFIED EXCEPT 
WHERE SHOWN OTHERWISE 




CEAU Assistance to Seattle Case: 




UNSUB(s); . 

TIMBERLINE SCHOOL DISTRICT (VICTIM); 
COMPUTER INTRUSION - INTERNET EXTORTION 


Background 

On June 6, 2007, the Seattle Division was contacted by the Lacey Police Department 
(LPD), Lacey, WA, regarding numerous bomb threats and Distributed Denial of Service 
(DDOS) attacks received at the Timberline School District, Lacey, WA. The threats 
began on May 30, 2007 and persisted through June 4, 2007, The threats necessitated the 
daily evacuation of Timberline High School. The LPD and the Washington State Patrol 
(WSP) performed school evacuations and bomb sweeps with negative results. Parents 
and school district employees informed local television stations and newspapers, which 
aired the story on June 6, 2007. As a result, the LPD requested investigative assistance 
from the Northwest Cyber Crime Task Force (NCCTF), headed by the FBI Seattle 
Division. In turn, the Seattle Field Office requested assistance from the OTD/CEAU to 
attempt to geo-physically locate the UNSUB(s). 

Assistance Provided 


CEAU deployed a Computer Internet Protocol Address Verifier (CIPAV) to a MySpace 
account identified as possibly belonging to the UNSUB. The CIPAV returned several IP 
addresses, one of which resolved back to Comcast Cable in Seattle, Washington. 
Subscriber information obtained fix)m Comcast led to the issuing of a search and arrest 
warrant. A 15 year old male student firom Timberline High School was taken into custody 
without incident at his home at approximately 2 A.M. June 14, 2007. The minor 
confessed to issuing the bomb threats. Future bomb threats, dated June 14, 2007, were 
found on the minor's computer. The minor's computer equipment was seized and the 
arrest was made without incident. Following an interview with the minor, the LPD was 
able to solve another threat case, as the minor confessed to issuing telephone death 
threats to teachers and others, including his parents, earlier in 2007. 


/ 


ALL INFOREATION CONTAIHED 

HEREIN IS UNCLASSIFIED 

DATE 10-02-2009 BY 60322 UCLP/STP 
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•I . ALL IKTFORHATION COHTAINED 

HEREIN IS UNCLASSIFIED 

DATE 10-02-2009 BY 60322 UC LP/STP 

Pittsbui^ n Investigation (Different case then original ongoing one) 

• 01/04/2007 - SPU referred case to OTD/CEAU 

• 01/31/2007 - ITOS requests OTD/CEAU if remote computer attack can be conducted 
against target 

• 02/07/2007 - SPU contacted CEA U to offer assistance regarding case. CEAU advised that 

it may require l which falls in SEC’S arena. If so, CEAU will coordinate 


with SPU for the task. 

Present - Per Case Agent. CEAU adv ised Pittsburgh ty^ Oiey could assist with [ 


SPU has not heard anything from 


OTD regarding this. 
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Cincinnati Investigation 


Acting Unit Chief, Special Technologi es Operations Unit (STOU) was 
contacted on the evening of February 15, 2007 by S pecial A gent ~l (Sqtiad 13 - 

Cincinnati Division) requesting urgent support . SA l l advised that he was working on a case 
(288A-CI-76037-WB) in which he needed immediate assistance from STOU in analyzing data 
obtained from a Computer and Internet Protocol Address I dentifier ("CIPAV”) inserted in five 
different ! I 

Acording to the Cincinnati's EC, "The CIPAV was previous ly exposed to hackers from 
01/30/2007 to 02/09/2007 but no infonnation was gathered because! ' 
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"Durinff the nerindnf the curre nt search warrant, the Unsub hacker(s) accessed 


pn 02/13/2007 at 12:23:08 Eastern Standard Time 


^''£57''^. The Unsub(s) then proceeded to visit the site 29 more times. In these instances, the 
CIPAV did not deliver its* payload because of system incompatibility. On 02/15/2007 at 
5:29:21 EDT, the system was able to deliver a CIPAV and the CIPAV returned data." 


SA I I requested STOU immediately begin analyzing all data recovered by the CIPAV 
and continue to per form an alysis on an ongoing basis until the termination of CIPAV operations 
on 02/22/ 2007. SAl [expressed the valid concern that the Unsub hackers would be 

“spooked’1 • • — 


1 According to I the hackers are responsible forF 
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STOU engineers immediately engaged in the case and began providing data back to SA 
1 I the veiy next day. STOU continued to provide daily support until the analysis was 
complete. 
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